U.S. OFFICE OF PERSONNEL MANAGEMENT
OFFICE OF THE INSPECTOR GENERAL
OFFICE OF AUDITS

Final Audit Report

Subject:

FEDERAL INFORMATION SECURITY MANAGEMENT ACT AUDIT
FY 2013

Report No. 4A-CI-00-13-021

Date: November 21, 2013

--CAUTION--
This audit report has been distributed to Federal officials who are responsible for the administration of the audited program. This audit report may contain proprietary data which is protected by Federal law (18 U.S.C. 1905). Therefore, while this audit report is available under the Freedom of Information Act and made available to the public on the OIG webpage, caution needs to be exercised before releasing the report to the general public as it may contain proprietary information that was redacted from the publicly distributed copy.

Audit Report

U.S. OFFICE OF PERSONNEL MANAGEMENT
FEDERAL INFORMATION SECURITY MANAGEMENT ACT AUDIT
FY 2013
WASHINGTON, D.C.

Michael R. Esser
Assistant Inspector General for Audits

Executive Summary

This final audit report documents the Office of Personnel Management’s (OPM) continued efforts to manage and secure its information resources.

Over the past several years, the Office of the Chief Information Officer (OCIO) made noteworthy improvements to OPM’s IT security program. 
However, we are concerned that these efforts have recently stalled due to resource limitations.

In the FY 2007 FISMA report, we noted a material weakness related to the lack of IT security policies and procedures. In FY 2009, we expanded the material weakness to include the lack of a centralized security management structure necessary to implement and enforce IT security policies.

Little progress was made in the subsequent years to address these issues. However, in FY 2012, the OPM Director issued a memo mandating the centralization of IT security duties to a team of Information System Security Officers (ISSO) that report to the OCIO. This change was a major milestone in addressing the material weakness.

However, as of the end of FY 2013, the centralized ISSO structure has only been partially implemented. The OCIO had filled three ISSO positions and assigned security responsibility for 17 of the agency’s 47 information systems to these individuals. The OCIO has a plan to hire enough ISSOs to manage the security of all 47 systems, but this plan continues to be hindered by budget restrictions.

We acknowledge that the existing ISSOs are effectively performing security work for the limited number of systems they manage, but there are still many OPM systems that have not been assigned to an ISSO. The findings in this audit report highlight the fact that OPM’s decentralized governance structure continues to result in many instances of non-compliance with FISMA requirements. Therefore, we are again reporting this issue as a material weakness for FY 2013.

In addition to the issues described above, we noted the following controls in place and opportunities for improvement:
•   The Security Assessment and Authorization packages completed in FY 2013 appeared to be an improvement over Authorizations completed in prior years, and the packages present a more uniform approach to IT security.
•   The OCIO has implemented risk management procedures at a system-specific level, but has not developed an agency-wide risk management methodology.
•   The OCIO has implemented an agency-wide information system configuration management policy and has established configuration baselines for all operating platforms used by the agency, with the exception of                . In addition,                are not routinely scanned for compliance with configuration baselines.
•   The OCIO routinely conducts vulnerability scans of production servers, and has improved its capability to track outstanding vulnerabilities. However, the OCIO has not documented accepted weaknesses for servers or databases.
•   The OCIO has implemented a process to apply operating system patches on all devices within OPM’s network on a weekly basis.
•   The OCIO has developed thorough incident response capabilities, but does not have a centralized network security operations center to continuously monitor security events.
•   Our review of Plans of Action and Milestones (POA&M) indicated that many system owners are not meeting the self-imposed remediation deadlines listed on the POA&Ms. In addition, we noted that the owners of 10 systems have not identified the resources needed to address POA&M weaknesses, as required by OPM’s POA&M policy.
•   The OCIO enforces the use of two-factor authentication for remote access, but Virtual Private Network sessions do not                , as required by OPM’s Information Technology Security FISMA Procedures.
•   OPM is not compliant with Office of Management and Budget Memorandum M-11-11, as no OPM systems require two-factor authentication using PIV credentials.
•   The OCIO has developed the ability to detect unauthorized devices connected to the OPM network.
•   The OCIO has taken steps toward implementing a continuous monitoring program at OPM; however, this project remains a work in progress.
•   The IT security controls were adequately tested for only 34 of 47 information systems in OPM’s inventory.
•   The contingency plans were adequately tested for only 40 of 47 information systems in OPM’s inventory.
•   There is not a coordinated contingency plan/disaster recovery test between OPM’s various general support systems.
•   OPM maintains an adequate security capital planning and investment program for information security.
•   OPM is continuing its efforts to reduce the unnecessary use of Social Security Numbers.

Contents

Executive Summary
Introduction
Background
Objectives
Scope and Methodology
Compliance with Laws and Regulations
Results
    I.    Information Security Governance
    II.   Security Assessment and Authorization
    III.  Risk Management
    IV.   Configuration Management
    V.    Incident Response and Reporting
    VI.   Security Training
    VII.  Plan of Action and Milestones
    VIII. Remote Access Management
    IX.   Identity and Access Management
    X.    Continuous Monitoring Management
    XI.   Contingency Planning
    XII.  Contractor Systems
    XIII. Security Capital Planning
    XIV.  Follow-up of Prior OIG Audit Recommendations
Major Contributors to this Report

Appendix I: Status of Prior OIG Audit Recommendations
Appendix II: The Office of the Chief Information Officer’s October 16, 2013 comments on the draft audit report, issued September 25, 2013.
Appendix III: FY 2013 Inspector General FISMA reporting metrics.

Introduction
On December 17, 2002, the President signed into law the E-Government Act (Public Law 107-347), which includes Title III, the Federal Information Security Management Act (FISMA). FISMA requires (1) annual agency program reviews, (2) annual Inspector General (IG) evaluations, (3) agency reporting to the Office of Management and Budget (OMB) of the results of IG evaluations for unclassified systems, and (4) an annual OMB report to Congress summarizing the material received from agencies. In accordance with FISMA, we conducted an evaluation of OPM’s security program and practices. 
As part of our evaluation, we reviewed OPM’s FISMA compliance strategy and documented the status of its compliance efforts.

Background
FISMA requirements pertain to all information systems supporting the operations and assets of an agency, including those systems currently in place or planned. The requirements also pertain to information technology (IT) resources owned and/or operated by a contractor supporting agency systems.

FISMA reemphasizes the Chief Information Officer’s strategic, agency-wide security responsibility. At OPM, security responsibility is assigned to the agency’s Office of the Chief Information Officer (OCIO). FISMA also clearly places responsibility on each agency program office to develop, implement, and maintain a security program that assesses risk and provides adequate security for the operations and assets of programs and systems under its control.

To assist agencies and IGs in fulfilling their FISMA evaluation and reporting responsibilities, the Department of Homeland Security (DHS) Office of Cybersecurity and Communications issued the Fiscal Year (FY) 2013 Inspector General FISMA Reporting Instructions. This document provides a consistent form and format for agencies to report FISMA audit results to DHS. It identifies a series of reporting topics that relate to specific agency responsibilities outlined in FISMA. Our audit and reporting strategies were designed in accordance with the above DHS guidance.

Objectives
Our overall objective was to evaluate OPM’s security program and practices, as required by FISMA. Specifically, we reviewed the status of the following areas of OPM’s IT security program in accordance with DHS’s FISMA IG reporting requirements:
•   Risk Management;
•   Configuration Management;
•   Incident Response and Reporting Program;
•   Security Training Program;
•   Plans of Action and Milestones (POA&M) Program;
•   Remote Access Program;
•   Identity and Access Management;
•   Continuous Monitoring Program;
•   Contingency Planning Program;
•   Agency Program to Oversee Contractor Systems; and
•   Agency Security Capital Planning Program.

In addition, we evaluated the status of OPM’s IT security governance structure, an area that has represented a material weakness in OPM’s IT security program in prior FISMA audits.

We also audited the security controls of three major applications/systems at OPM (see Scope and Methodology for details of these audits), and audited the OCIO’s use of a Common Security Controls Catalog. We also followed up on outstanding recommendations from prior FISMA audits (see Appendix I).

Scope and Methodology
We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. The audit covered OPM’s FISMA compliance efforts throughout FY 2013.

We reviewed OPM’s general FISMA compliance efforts in the specific areas defined in DHS’s guidance and the corresponding reporting instructions. We also performed information security audits on:
•   USA Staffing (Report No. 4A-HR-00-13-024, issued June 21, 2013);
•   Personnel Investigations Processing System (Report No. 4A-IS-00-13-022, issued June 24, 2013);
•   Serena Business Manager (Report No. 4A-CI-00-13-023, issued July 19, 2013); and
•   Common Security Controls Catalog (Report No. 4A-CI-00-13-036, issued October 10, 2013).

We considered the internal control structure for various OPM systems in planning our audit procedures. These procedures were mainly substantive in nature, although we did gain an understanding of management procedures and controls to the extent necessary to achieve our audit objectives. Accordingly, we obtained an understanding of the internal controls for these various systems through interviews and observations, as well as inspection of various documents, including information technology and other related organizational policies and procedures. This understanding of these systems’ internal controls was used to evaluate the degree to which the appropriate internal controls were designed and implemented. As appropriate, we conducted compliance tests using judgmental sampling to determine the extent to which established controls and procedures are functioning as required.

In conducting our audit, we relied to varying degrees on computer-generated data provided by OPM. Due to time constraints, we did not verify the reliability of the data generated by the various information systems involved. However, we believe that the data was sufficient to achieve the audit objectives, and nothing came to our attention during our audit testing to cause us to doubt its reliability.

Since our audit would not necessarily disclose all significant matters in the internal control structure, we do not express an opinion on the set of internal controls for these various systems taken as a whole.

The criteria used in conducting this audit include:
•   DHS Office of Cybersecurity and Communications FY 2013 Inspector General Federal Information Security Management Act Reporting Instructions;
•   OPM Information Technology Security and Privacy Handbook;
•   OPM Information Technology Security FISMA Procedures;
•   OPM Security Assessment and Authorization Guide;
•   OMB Circular A-130, Appendix III, Security of Federal Automated Information Resources;
•   OMB Memorandum M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information;
•   OMB Memorandum M-11-11, Continued Implementation of Homeland Security Presidential Directive 12;
•   E-Government Act of 2002 (P.L. 107-347), Title III, Federal Information Security Management Act of 2002;
•   National Institute of Standards and Technology (NIST) Special Publication (SP) 800-12, An Introduction to Computer Security: The NIST Handbook;
•   NIST SP 800-18 Revision 1, Guide for Developing Security Plans for Federal Information Systems;
•   NIST SP 800-30 Revision 1, Guide for Conducting Risk Assessments;
•   NIST SP 800-34 Revision 1, Contingency Planning Guide for Federal Information Systems;
•   NIST SP 800-37 Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems;
•   NIST SP 800-39, Managing Information Security Risk;
•   NIST SP 800-53 Revision 3, Recommended Security Controls for Federal Information Systems and Organizations;
•   NIST SP 800-60, Guide for Mapping Types of Information and Information Systems to Security Categories;
•   NIST SP 800-84, Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities;
•   Federal Information Processing Standards (FIPS) Publication 199, Standards for Security Categorization of Federal Information and Information Systems;
•   FIPS Publication 140-2, Security Requirements for Cryptographic Modules; and
•   Other criteria as appropriate.

The audit was performed by the OIG at OPM, as established by the Inspector General Act of 1978, as amended. Our audit was conducted from May through September 2013 in OPM’s Washington, D.C. office.

Compliance with Laws and Regulations
In conducting the audit, we performed tests to determine whether OPM’s practices were consistent with applicable standards. 
While generally compliant with respect to the items tested, OPM’s OCIO and other program offices were not in complete compliance with all standards, as described in the “Results” section of this report.

Results
The sections below detail the results of our FY 2013 FISMA audit of OPM’s IT Security Program. Many recommendations were issued in prior FISMA audits and are rolled forward from the 2012 FISMA audit (Report No. 4A-CI-00-12-016).

I.    Information Security Governance
      Information security governance is the overall framework and supporting management structure and processes that are the foundation of a successful information security program. For many years, we have reported increasing concerns about the state of OPM’s information security governance. In the FY 2007 FISMA report, we issued a material weakness related to the lack of IT policies and procedures. In FY 2009, we expanded the material weakness to include the lack of a centralized security management structure necessary to implement and enforce IT policies.

      We also have growing concerns about OPM’s ability to manage major system development projects and the decentralized nature of the agency’s technical operating environment.

      The sections below provide additional details from the OIG’s review of IT security governance at OPM.

      a) Information security management structure

         Information system security at OPM has historically been managed by individual Designated Security Officers (DSO) that report to the various program offices that own major computer systems. Many of these DSOs are not certified IT security professionals, and are performing DSO duties as a collateral responsibility to another full-time position.

         In FY 2011, the OCIO updated its IT security and privacy policies, but information security was still managed by DSOs that were not qualified to implement the new policies. In FY 2012, the OPM Director issued a memo mandating the transfer of IT security duties from the decentralized program office DSOs to a centralized team of Information System Security Officers (ISSO) that report to the OCIO. This change was a major milestone in addressing the material weakness.

         However, as of the end of FY 2013, the centralized ISSO structure has only been partially implemented. The OCIO has filled three ISSO positions and assigned security responsibility for 17 of the agency’s 47 information systems to these individuals. The OCIO has a plan to hire enough ISSOs to manage the security of all 47 systems, but this plan continues to be hindered by budget restrictions.

         The existing ISSOs are effectively performing security work for the limited number of systems they manage, but there are still many OPM systems that have not been assigned to an ISSO. The findings in this audit report highlight the fact that OPM’s decentralized governance structure continues to result in many instances of non-compliance with FISMA requirements. Specifically, the sections below related to continuous monitoring, contingency planning, and POA&Ms all describe specific weaknesses that could be improved with the full implementation of a centralized security governance structure. Therefore, we are again classifying this issue as a material weakness for FY 2013.

         Recommendation 1 (Rolled Forward from 2010)
         We recommend that OPM implement a centralized information security governance structure where all information security practitioners, including designated security officers, report to the Chief Information Security Officer (CISO). Adequate resources should be assigned to the OCIO to create this structure. Existing designated security officers who report to their program offices should return to their program office duties. The new staff that reports to the CISO should consist of experienced information security professionals.

         OCIO Response:
         “A CIO initiated Memo directing the centralization of the security responsibilities of Designated Security Officers (DSO) in the Office of Chief Information Security Officer (CISO) was issued by the OPM Director on August 2012 with an effective date of October 1, 2012. The CIO has already hired three Information System Security Officers with professional IT security experience and certifications and recruitment of an additional one is in progress for a total of four. The initial set of systems has been transitioned to ISSOs for security management and we expect to have all OPM systems under CISO security management once funding for additional professional security staff becomes available.”

         OIG Reply:
         We acknowledge the progress that the OCIO has made in implementing a centralized IT security structure, and will continue to monitor its effectiveness in FY 2014.

      b) Systems development lifecycle methodology

         OPM has a history of troubled system development projects. In our opinion, the root cause of these issues relates to the lack of central policy and oversight of systems development. Many system development projects at OPM have been initiated and managed by program offices with limited oversight or interaction with the OCIO. These program office managers do not always have the appropriate background in project management or information technology systems development.

         The OCIO has recently published a new system development lifecycle (SDLC) policy, which is a significant first step in implementing a centralized SDLC methodology at OPM. However, policy alone will not improve the historically weak SDLC management capabilities of OPM.

         The new policy is currently only applicable to OPM’s 11 major IT investments and is not actively enforced on other IT projects. However, it is imperative that the OCIO make it a priority to enforce this new policy on all system development projects. The failure of OPM’s Service Credit system was an example of a system development project that did not meet the criteria of a major investment, but when it failed there were serious consequences for the agency – not financial, but impactful to stakeholders and embarrassing in terms of media exposure and political scrutiny.

         The new SDLC policy does incorporate several prior OIG recommendations related to a centralized review process for system development projects. We also recommended that the OCIO develop a team with the proper project management and system development expertise to oversee new system development projects. Through this avenue, the OCIO should review SDLC projects at predefined checkpoints, and provide strict guidance to ensure that program office management is following OPM’s SDLC policy and is employing proper project management techniques to ensure a successful outcome for all new system development projects.

         Recommendation 2
         We recommend that the OCIO develop a plan and timeline to enforce the new SDLC policy on all of OPM’s system development projects.

         OCIO Response:
         “The OPM SDLC is being applied to OPM’s major investment projects. In FY14, a plan with timelines will be developed to enforce the SDLC policy for applicable system development projects.”

         OIG Reply:
         We acknowledge the steps that the OCIO is taking to expand the enforcement of the SDLC policy, and reiterate that we believe the policy should be enforced on all OPM IT projects.

         As part of the audit resolution process, we recommend that the OCIO provide OPM’s Internal Oversight and Compliance Office with evidence that it has implemented the audit recommendation. This statement applies to all subsequent recommendations in this report where the OCIO agrees with the recommendation and intends to implement a solution.

II.   Security Assessment and Authorization
      System certification is a comprehensive assessment that attests that a system’s security controls are meeting the security requirements of that system, and accreditation is the official management decision to authorize operation of an information system and accept its risks. 
OPM’s process of certifying a system’s security controls is referred to as Security Assessment and Authorization (Authorization).

      In FY 2011, the OCIO published updated procedures and templates designed to improve the overall Authorization process and dedicated resources to facilitating system Authorizations. The new process resulted in a noticeable improvement in the agency’s Security Authorization packages, and in FY 2012 we observed a continued improvement in the Authorization packages completed under this new process. This improvement has continued through FY 2013, and we believe this is due to the more rigorous review process through which the OCIO is requiring program offices to comply with policies, procedures, and the use of templates.

      We reviewed the full Authorization packages of 15 systems that were subject to an Authorization during FY 2013. The quality of all packages appeared to be an improvement over Authorizations completed in prior years, and the packages present a more uniform approach to IT security.

III.  Risk Management
      NIST SP 800-37 Revision 1, “Guide for Applying the Risk Management Framework to Federal Information Systems,” provides federal agencies with a framework for implementing an agency-wide risk management methodology. The Guide suggests that risk be assessed in relation to the agency’s goals and mission from a three-tiered approach: Tier 1: Organization (Governance); Tier 2: Mission/Business Process (Information and Information Flows); and Tier 3: Information System (Environment of Operation). NIST SP 800-39, “Managing Information Security Risk – Organization, Mission, and Information System View,” provides additional details of this three-tiered approach.

      a) Agency-wide risk management

         NIST SP 800-39 states that agencies should establish and implement “Governance structures [that] provide oversight for the risk management activities conducted by organizations and include:
         (i) the establishment and implementation of a risk executive (function);
         (ii) the establishment of the organization’s risk management strategy including the determination of risk tolerance; and
         (iii) the development and execution of organization-wide investment strategies for information resources and information security.”

         In FY 2011, the OCIO organized a Risk Executive Function comprised of several IT security professionals. However, as of the end of FY 2012, the 12 primary elements of the Risk Executive Function as described in NIST SP 800-39 were not all fully implemented. Key elements still missing from OPM’s approach to managing risk at an agency-wide level include: conducting a risk assessment, maintaining a risk registry, and communicating the agency-wide risks down to the system owners. Although the OCIO improved in assessing risk at the individual system level (see Security Assessment and Authorization, section II above), the OCIO was not fully managing risk at an organization-wide level.

         As of FY 2013, no further changes have been implemented to address organization-wide risk.

         Recommendation 3 (Rolled Forward from 2011)
         We recommend that the OCIO continue to develop its Risk Executive Function to meet all of the intended requirements outlined in NIST SP 800-39, section 2.3.2, Risk Executive (Function).

         OCIO Response:
         “We will continue to assess the Risk Executive Function per NIST Special Publication 800-39 and to explore and make suggestions for implementing this function. 
The risk executive function will have agency wide authority and\n         responsibility for assessing risk across all OPM Program Offices and to advise\n         senior management on risk management strategies.\xe2\x80\x9d\n\n      b) System specific risk management and annual security controls testing\n\n         NIST SP 800-37 Revision 1 outlines a risk management framework (RMF) that\n         contains six primary steps, including \xe2\x80\x9c(i) the categorization of information and\n         information systems; (ii) the selection of security controls; (iii) the implementation of\n         security controls; (iv) the assessment of security control effectiveness; (v) the\n         authorization of the information system; and (vi) the ongoing monitoring of security\n         controls and the security state of the information system.\xe2\x80\x9d\n\n         The OCIO has implemented the six step RMF into its system-specific risk\n         management activities through the new Authorization process. In addition, OPM\n         policy requires each major information system to be subject to routine security\n         controls testing.\n\nIV.   Configuration Management\n      The sections below detail the controls that the OCIO has in place to manage the technical\n      configuration of OPM servers and workstations.\n\n      a) Agency-wide security configuration policy\n\n         OPM\xe2\x80\x99s Information Security and Privacy Policy Handbook contains policies and\n         procedures related to agency-wide configuration management. The handbook\n         requires the establishment of secure baseline configurations and the monitoring and\n         documenting of all configuration changes.\n\n      b) Configuration baselines\n\n         In FY 2013, OPM put forth significant effort to document and implement new\n         baseline configurations for critical applications, servers, and workstations. 
At the\n\n\n\n                                               9\n\x0c   end of the fiscal year, the OCIO had established baselines and/or build sheets for the\n   following operating systems:\n\n   \xe2\x80\xa2   Windows Internet Explorer 8,\n   \xe2\x80\xa2   Windows XP,\n   \xe2\x80\xa2   Windows 7, and\n   \xe2\x80\xa2   Windows 2008 R2.\n\n   The OCIO is currently developing new baselines for                              .\n\n   NIST SP 800-53 Revision 3 control CM-2 requires agencies to develop, document,\n   and maintain a current baseline configuration of the information system. A baseline\n   should serve as a formally approved standard outlining how to securely configure\n   various operating platforms. Without an approved baseline, there is no standard\n   against which actual configuration settings can be measured, increasing the risk that\n   insecure systems exist in the operating environment.\n\n   Recommendation 4\n   We recommend that the OCIO develop and implement a baseline configuration for\n                                     .\n\n   OCIO Response:\n   \xe2\x80\x9cWe are working to standardize operating systems and applications throughout the\n   environment. Over the past year, all Windows and Linux operating systems, as well\n   as Microsoft SQL have been given approved baseline images. We will continue to\n   improve our processes and develop and implement configuration baselines for\n                                    .\xe2\x80\x9d\n\nc) United States Government Computer Baseline Configuration\n\n   OPM user workstations are built with a standard image that is compliant with the\n   United States Government Baseline Configuration. 
Any deviations deemed necessary\n   by the agency from the configurations are documented within each operating\n   platform\xe2\x80\x99s baseline configuration.\n\n   We conducted an automated scan of the Windows 7 standard image to independently\n   verify compliance with the appropriate guideline and OPM\xe2\x80\x99s baseline. Nothing came\n   to our attention to indicate that there are weaknesses in OPM\xe2\x80\x99s methodology to\n   securely configure user workstations.\n\nd) Compliance with baselines\n\n   The OCIO uses automated scanning tools to conduct routine compliance audits on the\n   majority of operating platforms used in OPM\xe2\x80\x99s server environment. These tools\n   compare the actual configuration of servers and workstations to the approved baseline\n\n                  In FY 2013, the OCIO implemented a process to routinely scan\n                              However, these scans are not performed using an\n                                                                       because, as mentioned above,\n                                                                           are in development.\n\n   NIST SP 800-53 Revision 3 control CM-3 requires agencies to audit activities\n   associated with information system configurations.\n\n   Recommendation 5\n   We recommend that the OCIO conduct routine compliance audits on\n                 with the OPM baseline configuration once they have\n             approved.\n\n   OCIO Response:\n   \xe2\x80\x9cWe concur with this recommendation and will implement the recommendation on\n   the approved baseline configuration.\xe2\x80\x9d\n\ne) Software and hardware change management\n\n   The OCIO has developed a Configuration Change Control Policy that outlines a\n   formal process to approve and document all computer software and hardware\n   changes. 
The OCIO utilizes a software application to manage and maintain all\n   computer software and hardware change control documentation.\n\n   We reviewed evidence indicating that the OCIO is adequately following this policy\n   and is thoroughly documenting all system changes. Nothing came to our attention to\n   indicate that there are weaknesses in OPM\xe2\x80\x99s change management process.\n\nf) Vulnerability scanning\n\n   OPM\xe2\x80\x99s Network Management Group (NMG) performs monthly vulnerability scans of\n   all servers using automated scanning tools. A daily security advisory report is\n   generated that details the most vulnerable servers and workstations, and these reports\n   are sent to system owners so they can remediate the identified weaknesses.\n\n   NMG has documented accepted weaknesses for OPM user workstations; however, it\n   has not fully documented accepted weaknesses for servers or databases (i.e.,\n   vulnerability scan findings that are justified by a business need). This recommendation\n   remains open from FY 2011 and is rolled forward in FY 2013.\n\n   Recommendation 6 (Rolled Forward from 2011)\n   We recommend that the OCIO document \xe2\x80\x9caccepted\xe2\x80\x9d weaknesses identified in\n   vulnerability scans.\n\n        OCIO Response:\n        \xe2\x80\x9cWe concur with this recommendation and will implement the recommendation in\n        FY-14.\xe2\x80\x9d\n\n     g) Patch management\n\n        The OCIO has implemented a process to apply operating system patches on all\n        devices within OPM\xe2\x80\x99s network on a weekly basis. In FY 2013, the OCIO began\n        utilizing a third party patching software management program to manage and\n        maintain all non-operating system software.\n\n        We conducted vulnerability scans on a sample of servers and determined that servers\n        are appropriately patched. 
Nothing came to our attention to indicate that there are\n        weaknesses in OPM\xe2\x80\x99s patch management process.\n\nV.   Incident Response and Reporting\n     OPM\xe2\x80\x99s \xe2\x80\x9cIncident Response and Reporting Guide\xe2\x80\x9d outlines the responsibilities of OPM\xe2\x80\x99s\n     Situation Room and documents procedures for reporting all IT security events to the\n     appropriate entities. We evaluated the degree to which OPM is following internal\n     procedures and FISMA requirements for reporting security incidents internally, to the\n     United States Computer Emergency Readiness Team (US-CERT), and to appropriate law\n     enforcement authorities.\n\n     a) Identifying and reporting incidents internally\n\n        OPM\xe2\x80\x99s Incident Response and Reporting Guide requires any user of the agency\xe2\x80\x99s IT\n        resources to immediately notify OPM\xe2\x80\x99s Situation Room when IT security incidents\n        occur. OPM reiterates the information provided in the Incident Response and\n        Reporting Guide in an annual mandatory IT security and privacy awareness training\n        course. In addition, OPM also uses three different software tools to prevent and\n        detect intrusions and malware in the agency\xe2\x80\x99s network.\n\n        The OCIO has processes in place to quickly respond to all reported security incidents.\n        Our FY 2012 FISMA report indicated that there were several incidents in that fiscal\n        year that were not appropriately reported to the Situation Room. In response, the\n        OCIO provided documentation indicating that it had improved the annual incident\n        response training. 
This training appears to have improved incident response\n        reporting, as we are unaware of any incidents that were not appropriately reported in\n        FY 2013.\n\n     b) Reporting incidents to US-CERT and law enforcement\n\n        OPM\xe2\x80\x99s Incident Response and Reporting policy states that OPM\'s Situation Room is\n        responsible for sending incident reports to US-CERT on security incidents. OPM\n        notifies US-CERT within one hour of a reportable security incident occurrence.\n\n\n                                            12\n\x0c         The Incident Response and Reporting policy also states that security incidents should\n         be reported to law enforcement authorities, where appropriate. The OIG\xe2\x80\x99s Office of\n         Investigations is part of the incident response notification distribution list, and is\n         notified when security incidents occur.\n\n      c) Correlating and monitoring security incidents\n\n         OPM owns a software product with the technical ability to compare and correlate\n         security incidents over time. However, the correlation features of these tools are not\n         being fully utilized at this time. This tool receives event data from approximately 80\n         percent of all major OPM systems. Furthermore, OPM does not have a consistent and\n         unified process to monitor and analyze all security incidents. 
Some incidents cannot\n         be fully investigated due to inconsistent logging practices across systems, and\n         inefficiencies created by program offices running separate monitoring tools on their\n         systems.\n\n         The OCIO\xe2\x80\x99s NMG is in the process of establishing an Enterprise Network Security\n         Operations Center (ENSOC) that will provide continuous centralized support for\n         OPM\xe2\x80\x99s security incident prevention/management, performance analysis, fault\n         resolution, maintenance coordination, configuration management, security\n         management, system monitoring, network monitoring, alert escalation, problem\n         resolution bridge coordination, and incident response. Although we agree that the\n         proposed ENSOC will greatly improve OPM\xe2\x80\x99s incident management capabilities and\n         overall security of the agency, the OCIO continues to face resource limitations that\n         hinder the full implementation of the ENSOC.\n\n         Recommendation 7 (Rolled Forward from 2012)\n         We recommend that the OCIO establish a centralized network security operations\n         center with the ability to monitor security events for all major OPM systems.\n\n         OCIO Response:\n         \xe2\x80\x9cA centralized monitoring center is established with first level alerting and\n         monitoring for the servers, and network appliances within the major OPM sites.\n         Work has begun on incorporating application and database monitoring and\n         compliance. We will continue to evaluate and look at cost effective ways to\n         implement this recommendation.\xe2\x80\x9d\n\nVI.   Security Training\n      FISMA requires all government employees and contractors to take IT security awareness\n      training on an annual basis. 
In addition, employees with IT security responsibility are\n      required to take additional specialized training.\n\n\n\n\n                                             13\n\x0c     a) IT security awareness training\n\n        The OCIO provides annual IT security and privacy awareness training to all OPM\n        employees through an interactive web-based course. The course introduces\n        employees and contractors to the basic concepts of IT security and privacy, including\n        topics such as the importance of information security, security threats and\n        vulnerabilities, viruses and malicious code, privacy training, peer-to-peer software,\n        and the roles and responsibilities of users.\n\n        Over 98 percent of OPM\xe2\x80\x99s employees and over 99 percent of contractors completed\n        the security awareness training course in FY 2013.\n\n     b) Specialized IT security training\n\n        OPM employees with significant information security responsibilities are required to\n        take specialized security training in addition to the annual awareness training.\n\n        The OCIO has developed a table outlining the security training requirements for\n        specific job roles. The OCIO uses a spreadsheet to track the security training taken\n        by employees that have been identified as having security responsibility. Of\n        employees with significant security responsibilities, 96 percent completed specialized\n        IT security training in FY 2013.\n\nVII. Plan of Action and Milestones\n     A POA&M is a tool used to assist agencies in identifying, assessing, prioritizing, and\n     monitoring the progress of corrective efforts for IT security weaknesses. 
The sections\n     below detail OPM\xe2\x80\x99s effectiveness in using POA&Ms to track the agency\xe2\x80\x99s security\n     weaknesses.\n\n     a) POA&Ms incorporate all known IT security weaknesses\n\n        The OIG FY 2012 FISMA audit contained 18 audit recommendations; we verified\n        that all 18 recommendations were appropriately incorporated into the OCIO master\n        POA&M.\n\n        Although only 34 of OPM\xe2\x80\x99s 47 major systems provided the OIG with annual security\n        controls tests (see section X, below), we were able to verify that all security\n        weaknesses identified during these tests were incorporated into the appropriate\n        system\xe2\x80\x99s POA&M.\n\n     b) Prioritize Weaknesses\n\n         Each program office at OPM is required to prioritize the security weaknesses on their\n         POA&Ms to help ensure significant IT issues are addressed in a timely manner. We\n\n\n\n\n                                            14\n\x0c   verified the POA&Ms that were provided did identify and prioritize each security\n   weakness.\n\nc) Effective remediation plans and adherence to remediation deadlines\n\n   All system owners are required to create action steps (milestones) to effectively\n   remediate specific weaknesses identified on POA&Ms. Our review of the POA&Ms\n   indicated that system owners are appropriately listing milestones and target\n   completion dates on their POA&Ms.\n\n   However, our review also indicated that many system owners are not meeting the\n   self-imposed remediation deadlines listed on the POA&Ms. Of OPM\xe2\x80\x99s 47 major\n   systems, 22 have POA&M items that are greater than 120 days overdue. We issued\n   an audit recommendation in FY 2012 related to overdue POA&M items. The\n   recommendation was closed during this fiscal year because the OCIO provided\n   updated corrective action plans for multiple systems. 
However, we are re-issuing the\n   recommendation because overdue POA&M items now exist for nearly half of OPM\n   systems.\n\n   Recommendation 8\n   We recommend that the OCIO and system owners develop formal corrective action\n   plans to remediate all POA&M weaknesses that are over 120 days overdue.\n\n   OCIO Response:\n   \xe2\x80\x9cThe CIO dedicated resources to this task and has successfully closed a majority of\n   POA&Ms that are over 120 days old and will continue to work with program offices\n   to reduce or close those that are outstanding and to develop formal Corrective\n   Action Plans. Most POA&Ms that are over 120 days have dependencies such as\n   funding that is not available or coordination issues with external entities who often\n   are not ready to implement the required changes.\xe2\x80\x9d\n\n   OIG Reply:\n   We acknowledge that resource limitations will often impact the amount of time\n   required to address a system weakness. However, the remediation deadlines on the\n   POA&M\xe2\x80\x99s are self-imposed and should be reasonable to meet. Additional training\n   for systems owners on establishing appropriate POA&M deadlines may help resolve\n   this issue.\n\nd) Identifying resources to remediate weaknesses\n\n   We noted that the owners of 10 systems have not identified the resources needed to\n   address POA&M weaknesses, as required by OPM\xe2\x80\x99s POA&M policy.\n\n\n\n\n                                      15\n\x0c        Recommendation 9 (Rolled Forward from 2012)\n        We recommend that all POA&Ms list the specific resources required to address each\n        security weakness identified.\n\n        OCIO Response:\n        \xe2\x80\x9cThis recommendation has been largely implemented for program offices with\n        open POA&Ms. 
We will continue to work with program offices to ensure that the\n        \xe2\x80\x98resources required\xe2\x80\x99 for POA&Ms are identified and documented.\xe2\x80\x9d\n\n     e) OCIO tracking and reviewing POA&M activities on a quarterly basis\n\n         System owners are required to submit a POA&M to the OCIO on a quarterly basis.\n         In addition, the OCIO requires program offices to provide the evidence, or \xe2\x80\x9cproof of\n         closure,\xe2\x80\x9d that security weaknesses have been resolved before officially closing the\n         related POA&M. When the OCIO receives a proof of closure document from the\n         program offices for a POA&M item, an OCIO employee will judgmentally review\n         the documentation to determine whether or not the evidence provided was\n         appropriate.\n\n         We selected one closed POA&M item from each of 10 OPM systems and reviewed\n         the proof of closure documentation provided by the program offices. The 10 systems\n         were judgmentally selected from the 47 OPM systems. We determined that adequate\n         proof of closure was provided for all 10 systems tested. The results of the sample\n         test were not projected to the entire population.\n\nVIII. Remote Access Management\n     OPM has implemented policies and procedures related to authorizing, monitoring, and\n     controlling all methods of accessing the agency\xe2\x80\x99s network resources from a remote\n     location. In addition, OPM has issued agency-wide telecommuting policies and\n     procedures, and all employees are required to sign a Rules of Behavior document that\n     outlines their responsibility for the protection of sensitive information when working\n     remotely.\n\n     OPM utilizes a Virtual Private Network (VPN) client to facilitate secure remote access to\n     the agency\xe2\x80\x99s network environment. 
The OPM VPN requires the use of an individual\xe2\x80\x99s\n     PIV card and password authentication to uniquely identify users. The OIG has reviewed\n     the VPN access list to ensure that there are no shared accounts and that each user account\n     has been tied to an individual. The agency maintains logs of individuals who remotely\n     access the network, and the logs are reviewed on a monthly basis for unusual activity or\n     trends.\n\n     Although there is still a small portion of authorized network devices that are not\n     compliant with PIV cards (e.g., iPads), these devices still require multi-factor\n      authentication for remote access through the use of RSA tokens and password\n      authentication.\n\n                                                      requirement that a remote access session\n                                                                   We connected workstations to\n                                                                  neither VPN session was\n                                                   is in the process of conducting research on\n                                 to mitigate this issue and believes this is a major flaw in the\n      vendor\xe2\x80\x99s design.\n\n      Recommendation 10 (Rolled Forward from 2012)\n      We recommend the OCIO configure the VPN servers to\n\n\n      OCIO Response:\n      \xe2\x80\x9cAll technological controls are in place and we believe there is a flaw in a vendor\xe2\x80\x99s\n      design that will require an out of band patch to repair. We have narrowed the problem\n      to a fault within the UDP connection to the client and we are working with the vendor,\n      Cisco Systems to get this resolved.\xe2\x80\x9d\n\nIX.   
Identity and Access Management\n      The following sections detail OPM\xe2\x80\x99s account and identity management program.\n\n      a) Policies for account and identity management\n\n         OPM maintains policies and procedures for agency-wide account and identity\n         management within the OCIO Information Security and Privacy Policy Handbook.\n         The policies contain procedures for creating user accounts with the appropriate level\n         of access as well as procedures for removing access for terminated employees.\n\n      b) Terminated employees\n\n         OPM maintains policies related to management of user accounts for its local area\n         network (LAN) and its mainframe environments. Both policies contain procedures\n         for creating user accounts with the appropriate level of access as well as procedures\n         for removing access for terminated employees.\n\n         We conducted an access test comparing the current LAN active user list against a list\n         of terminated employees from the past year. Nothing came to our attention to\n         indicate that there are weaknesses in OPM\xe2\x80\x99s access termination management process.\n\n     c) Multi-factor authentication with PIV\n\n        OMB Memorandum M-11-11 requires all federal information systems to be upgraded\n        to use PIV credentials for multi-factor authentication by the beginning of FY 2012.\n        In addition, the memorandum stated that all new systems under development must be\n        PIV compliant prior to being made operational, and that agencies must be compliant\n        with the memorandum prior to using technology refresh funds to complete other\n        activities.\n\n        In FY 2012, the OCIO began an initiative to require PIV authentication to access the\n        agency\xe2\x80\x99s network. 
As of the end of FY 2013, 30 percent of OPM workstations\n        require PIV authentication for access to the OPM network. However, none of the\n        agency\xe2\x80\x99s 47 major applications require PIV authentication.\n\n        Recommendation 11 (Rolled Forward from 2012)\n        We recommend that the OCIO meet the requirements of OMB M-11-11 by upgrading\n        its major information systems to require multi-factor authentication using PIV\n        credentials.\n\n        OCIO Response:\n        \xe2\x80\x9cWe have developed and are in the process of implementing plans for multi-factor\n        PIV authentication for compliance with OMB M-11-11. A major segment of the\n        users on our network infrastructure are using PIV authentication. In FY-14 we\n        will continue to work with program offices to implement PIV authentication for\n        major systems.\xe2\x80\x9d\n\n     d) Unauthenticated network devices\n\n        In prior FISMA audits, we have recommended that the OCIO implement an\n        automated process to detect non-approved devices connected to OPM\xe2\x80\x99s network. The\n        OCIO has purchased a Network Access Controller (NAC) that will govern access to\n        network resources. The NAC has the ability to identify all devices on the network\n        and deny access to unauthenticated devices.\n\n        Nothing came to our attention to indicate that there are weaknesses in OPM\xe2\x80\x99s controls\n        over unauthenticated devices.\n\nX.   
Continuous Monitoring Management\n     The following sections detail OPM\xe2\x80\x99s controls related to continuous monitoring of the\n     security state of its information systems.\n\na) Continuous monitoring policy and procedures\n\n   OPM\xe2\x80\x99s Information Security and Privacy Policy Handbook states that the security\n   controls of all systems must be continuously monitored and assessed to ensure\n   continued effectiveness. In FY 2012, the OCIO published an addendum to the\n   Information Security and Privacy Policy which states that it is the ISSO/DSO\xe2\x80\x99s\n   responsibility to assess all security controls in an information system. The addendum\n   also states that continuous monitoring security reports must be provided to ITSP at least\n   semiannually.\n\n   As stated in section I above, the ISSO function has not been fully established at OPM.\n   Our FY 2012 FISMA report stated that many of the current DSOs do not have the\n   technical skills or the resources required to adequately monitor the information\n   security controls of their systems. Therefore, we continue to believe that OPM\xe2\x80\x99s\n   continuous monitoring policies and procedures cannot be adequately implemented\n   until the agency\xe2\x80\x99s centralized ISSO function has been fully established.\n\nb) Continuous monitoring strategy\n\n   The OCIO developed a concept of operations document and a continuous monitoring\n   program implementation \xe2\x80\x9croadmap\xe2\x80\x9d that describes the stages and timeline for\n   implementing a full continuous monitoring program at OPM. While the initial stages\n   of implementation began in FY 2012, full implementation of the plan is not scheduled\n   to be completed until FY 2015. 
   The OCIO achieved the FY 2013 milestones outlined in the roadmap which included semiannual reporting for all OPM-operated systems. The next stage in the OCIO’s plan involves quarterly submissions for High impact systems, more frequent controls testing for all systems, and further implementation of automated tools. Implementation of this stage is scheduled to be completed during FY 2014.

   Recommendation 12
   We recommend that the OCIO expand its continuous monitoring program to include quarterly submissions for High impact systems, more frequent controls testing for all systems, and further implementation of automated tools as outlined in the Information Security Continuous Monitoring Roadmap.

   OCIO Response:
   “We have made significant progress implementing Continuous Monitoring at OPM and will continue to expand the program over a 2 year period into FY-15 subject to availability of funds. We plan to implement this specific set of recommendations from the draft report.”

c) Annual assessment of security controls

   OPM policy requires all OPM system owners to submit evidence of continuous monitoring activities at least semiannually (in March and September).

   We requested the security test results for all OPM-operated systems for both submissions in order to review them for quality and consistency. However, we were only provided testing documentation for 20 out of the 26 major OPM-operated systems.

   At this time, security controls testing for contractor-operated systems is still only required annually. A review of contractor system security control testing (see section XII, below) indicates that only 14 out of 21 contractor-operated systems were tested in this fiscal year.

   Between contractor- and agency-operated information systems, only 34 out of 47 systems were subject to adequate security controls testing in FY 2013. Failure to continuously monitor and assess security controls increases the risk that agency officials are unable to make informed judgments to appropriately mitigate risks to an acceptable level.

   It has been over six years since all OPM systems were subject to an adequate annual security controls test. OPM’s decentralized approach to IT security has traditionally placed responsibility on the various program offices to test the security controls of their systems. The OCIO’s lack of authority over these program offices has contributed to the inadequate security controls testing of the agency’s information systems. We are optimistic that the quality and consistency of security controls tests will improve with the full implementation of the OCIO’s centralized ISSO structure and with the shift to semi-annual continuous monitoring submissions.

   Recommendation 13 (Rolled Forward from 2008)
   We recommend that OPM ensure that an annual test of security controls has been completed for all systems.

   OCIO Response:
   “We continue to make progress with security controls testing in FY-2013 and expect to have test plans and results for all systems in FY-2014. Security controls testing will be a major part of our continuous monitoring program that is currently being implemented.”

XI. Contingency Planning

   OPM’s Information Security Privacy and Policy Handbook requires a contingency plan to be in place for each information system and that each system’s contingency plan be tested on an annual basis. The sections below detail our review of contingency planning activity in FY 2013.

a) Documenting contingency plans of individual OPM systems

   We verified that contingency plans exist for all 47 production systems on OPM’s master system inventory.

   In prior OIG FISMA audits, we noted that the quality and consistency of contingency plans varied greatly between OPM’s various systems. As a result, the OCIO developed a contingency plan template that all system owners are now required to use. The new template closely follows the guidance of NIST SP 800-34, Contingency Planning Guide for Federal Information Systems.

b) Testing contingency plans of individual OPM systems

   OPM’s Information Security Privacy and Policy Handbook requires that the contingency plan for each information system be tested at least annually using information system specific tests and exercises. We received evidence that contingency plans were tested for only 40 of 47 systems in FY 2013.

   Of the contingency plan tests we did receive, we continue to notice inconsistency in the quality of the documentation produced for various OPM systems. One of the main areas of inconsistency relates to the analysis or “lessons learned” section of the report. NIST SP 800-84, Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities, states that an after action report should “include background information about the exercise, documented observations made by the facilitator and data collector, and recommendations for enhancing the IT plan that was exercised.”

   Several after action reports we reviewed did not include summarized results or lessons learned. Without a thoroughly documented after action report, system owners will not know how to improve the contingency plan in order to be better prepared for a disruptive event.

   Recommendation 14 (Rolled Forward from 2008)
   We recommend that OPM’s program offices test the contingency plans for each system on an annual basis. The contingency plans should be tested for the systems that were not subject to adequate testing in FY 2013 as soon as possible.

   OCIO Response:
   “We will continue making progress working with program offices on contingency plan testing in FY-14. Due to the current shortage of funding for all ISSOs, the CISO must still rely on decentralized DSOs for support to complete the testing. This has caused delays in implementation and coordination.”

c) Testing contingency plans of OPM general support systems

   Many OPM systems reside on one of the agency’s general support systems. The OCIO typically conducts a full recovery test at the backup location of the Enterprise Server Infrastructure general support system (i.e., the mainframe and associated systems) on an annual basis. However, no test was performed in FY 2013 due to planned major changes in OPM’s technical environment. OPM purchased a new mainframe and successfully failed over all production data and applications from the old mainframe to the new one. However, the fail-over did not take place in the backup location.

   One of OPM’s other major general support systems, the LAN/WAN general support system, is not routinely subject to a full functional disaster recovery test. Only select LAN/WAN systems that impact or interface with the mainframe environment are tested annually in conjunction with the mainframe disaster recovery test. Other critical applications such as the email server were successfully tested in FY 2013.

   NIST SP 800-53 Revision 3 states that FIPS 199 “high” systems should be subject to “a full recovery and reconstitution of the information system to a known state as part of contingency plan testing.” Without full functional routine testing of all OPM general support systems, there is a risk that OPM systems will not be successfully recovered in the event of a disaster.

   In the FY 2011 FISMA audit report we recommended that the OCIO implement a centralized (agency-wide) approach to contingency plan testing. We were informed that a single synchronized functional test is not feasible due to logistical and resource limitations. However, the intent of the recommendation is to ensure that all elements of the general support systems are subject to a full functional disaster recovery test each year. This recommendation can be remediated if each general support system is subject to a full functional test each year, even if it must be broken into a series of smaller tests.

   Recommendation 15 (Rolled Forward from 2011)
   We recommend that the OCIO implement and document a centralized (agency-wide) approach to contingency plan testing.

   OCIO Response:
   “We will continue efforts to centralize contingency plan testing in FY-14 with the goal of implementing this recommendation.”

XII. Contractor Systems

   We evaluated the methods that the OCIO and various program offices use to maintain oversight of their systems operated by contractors on behalf of OPM.

1. Contractor system documentation

   OPM’s master system inventory indicates that 21 of the agency’s 47 major applications are operated by a contractor. The OCIO also maintains a separate spreadsheet documenting interfaces between OPM and contractor-operated systems and the related Interconnection Security Agreements.

2. Contractor system oversight

   The OPM Information Security and Privacy Policy Addendum states that “It is the responsibility of the OPM system owner to ensure systems or services hosted by non-OPM organizations comply with OPM information security and privacy policies.” The handbook addendum also states that “OPM System Owners must ensure that an annual security controls assessment is performed by a government employee or an independent third party at the site where contracted information technology services are rendered.”

   We requested the annual security control tests for contractor-operated systems in order to review them for quality and consistency. However, we were only provided testing documentation for 14 out of the 21 systems (see section X above for the related recommendation). Failure to complete the annual security controls test increases the risk that agency officials are unable to make informed judgments to appropriately mitigate risks to an acceptable level.

XIII. Security Capital Planning

   NIST SP 800-53 Revision 3, control SA-2, Allocation of Resources, states that an organization needs to determine, document, and allocate the resources required to protect information systems as part of its capital planning and investment control process.

   OPM’s Information Security and Privacy Policy Handbook contains policies and procedures to ensure that information security is addressed in the capital planning and investment process. The OCIO uses the Integrated Data Collection, a replacement for the Exhibit 53B, to record information security resource allocation and submits this information annually to OMB.

   Nothing came to our attention to indicate that OPM does not maintain an adequate capital planning and investment program for information security.

XIV. Follow-up of Prior OIG Audit Recommendations

   All open audit recommendations issued prior to 2012 were rolled forward into one of the recommendations in the FY 2012 OIG FISMA audit report (Report 4A-CI-00-12-016). FY 2012 recommendations that were not remediated by the end of FY 2013 are rolled forward with a new recommendation number in this FY 2013 OIG FISMA audit report.

   The prior sections of this report evaluate the current status of many 2012 recommendations. However, there is one additional 2012 recommendation that has not yet been addressed in this report because the related topic was not part of the FY 2013 FISMA reporting instructions. The current status of this recommendation is below.

a) 4A-CI-00-12-016 Recommendation 16 (Rolled Forward from 2008)

   We recommend that OPM continue its efforts to eliminate the unnecessary use of SSNs in accordance with OMB Memorandum M-07-16.

   FY 2013 Status
   The OCIO has an ongoing plan to reduce and eventually eliminate the unnecessary use of SSNs in its major information systems. However, resource limitations prevented them from completing this task in FY 2013. This recommendation remains open and is rolled forward in FY 2013.

   Recommendation 16 (Rolled Forward from 2008)
   We recommend that OPM continue its efforts to eliminate the unnecessary use of SSNs in accordance with OMB Memorandum M-07-16.

   OCIO Response:
   “Significant work was done to eliminate the unnecessary use of social security numbers (SSN) including development of a consolidated Action Plan and eliminating them from USAJOBS and the PMF systems. In FY-14, the Privacy Officer will update the action plan and schedule a pilot project with Retirement Services to review business processes to determine how SSNs usage can be reduced. Note that this recommendation requires funding for agency-wide implementation.”

Major Contributors to this Report

This audit report was prepared by the U.S. Office of Personnel Management, Office of Inspector General, Information Systems Audits Group. The following individuals participated in the audit and the preparation of this report:

• Lewis F. Parker, Deputy Assistant Inspector General for Audits
•                    , Chief, Information Systems Audits Group
•                    , Lead IT Auditor
•                    , IT Auditor
•                    , IT Auditor
•                    , IT Auditor

Appendix I
Status of Prior OIG Audit Recommendations

The table below outlines the current status of prior audit recommendations issued in FY 2012 by the Office of the Inspector General.

Report No.
4A-CI-00-12-016: FY 2012 Federal Information Security Management Act Audit, issued November 5, 2012

Rec 1
   Original Recommendation: We recommend that OPM implement a centralized information security governance structure where all information security practitioners, including designated security officers, report to the CISO. Adequate resources should be assigned to the OCIO to create this structure. Existing designated security officers who report to their program offices should return to their program office duties. The new staff that reports to the CISO should consist of experienced information security professionals.
   Recommendation History: Roll-forward from OIG Reports: 4A-CI-00-10-019 Recommendation 4 and 4A-CI-00-11-009 Recommendation 2
   Current Status: OPEN: Rolled-forward as Report 4A-CI-00-13-021 Recommendation 1

Rec 2
   Original Recommendation: We recommend that the OCIO continue to develop its Risk Executive Function to meet all of the intended requirements outlined in NIST SP 800-39, section 2.3.2 Risk Executive (Function).
   Recommendation History: Roll-Forward from OIG Report: 4A-CI-00-11-009 Recommendation 6
   Current Status: OPEN: Rolled-forward as Report 4A-CI-00-13-021 Recommendation 3

Rec 3
   Original Recommendation: We recommend that the OCIO implement a process to routinely audit                for compliance with the approved OPM baseline configuration.
   Recommendation History: Recommendation new in FY 2012
   Current Status: CLOSED: 6/20/2013

Rec 4
   Original Recommendation: We recommend that the OCIO document “accepted” weaknesses identified in vulnerability scans.
   Recommendation History: Roll-Forward from OIG Report: 4A-CI-00-11-009 Recommendation 9
   Current Status: OPEN: Rolled-forward as Report 4A-CI-00-13-021 Recommendation 6

Rec 5
   Original Recommendation: We recommend that the OCIO implement a process to timely patch (or remove altogether) third party applications on its servers.
   Recommendation History: Recommendation new in FY 2012
   Current Status: CLOSED: 9/25/2013

Rec 6
   Original Recommendation: We recommend that the OCIO establish a centralized network security operations center with the ability to monitor security events for all major OPM systems.
   Recommendation History: Recommendation new in FY 2012
   Current Status: OPEN: Rolled-forward as Report 4A-CI-00-13-021 Recommendation 7

Rec 7
   Original Recommendation: We continue to recommend that the OCIO ensure that all employees with significant information security responsibility take meaningful and appropriate specialized security training on an annual basis.
   Recommendation History: Roll-Forward from OIG Reports: 4A-CI-00-10-019 Recommendation 16, and 4A-CI-00-11-009 Recommendation 10
   Current Status: CLOSED: 9/26/2013

Rec 8
   Original Recommendation: We recommend that the OCIO and system owners develop formal corrective action plans to remediate all POA&M weaknesses that are over 120 days overdue.
   Recommendation History: Recommendation new in FY 2012
   Current Status: CLOSED: 2/26/2013; Reissued as 4A-CI-00-13-021 Recommendation 8

Rec 9
   Original Recommendation: We recommend that all POA&Ms list the specific resources required to address each security weakness identified.
   Recommendation History: Recommendation new in FY 2012
   Current Status: OPEN: Rolled-forward as Report 4A-CI-00-13-021 Recommendation 9

Rec 10
   Original Recommendation: We recommend the OCIO configure the VPN servers to terminate VPN sessions after 30 minutes of inactivity.
   Recommendation History: Recommendation new in FY 2012
   Current Status: OPEN: Rolled-forward as Report 4A-CI-00-13-021 Recommendation 10

Rec 11
   Original Recommendation: We recommend that the OCIO meet the requirements of OMB M-11-11 by upgrading its major information systems to require multi-factor authentication using PIV credentials.
   Recommendation History: Recommendation new in FY 2012
   Current Status: OPEN: Rolled-forward as Report 4A-CI-00-13-021 Recommendation 11

Rec 12
   Original Recommendation: We recommend that the OCIO implement an automated process to detect unauthenticated network devices.
   Recommendation History: Roll-Forward from OIG Reports: 4A-CI-00-10-019 Recommendation 25, and 4A-CI-00-11-009 Recommendation 16
   Current Status: CLOSED: 9/25/2013

Rec 13
   Original Recommendation: We recommend that the OCIO expand its continuous monitoring program to include a reporting process at the system-level, and implement automated tools and metric reporting for OPM as outlined in the Information Security Continuous Monitoring Roadmap.
   Recommendation History: Recommendation new in FY 2012
   Current Status: CLOSED: 9/25/2013

Rec 14
   Original Recommendation: We recommend that OPM ensure that an annual test of security controls has been completed for all systems.
   Recommendation History: Roll-forward from OIG Reports: 4A-CI-00-08-022 Recommendation 1, 4A-CI-00-09-031 Recommendation 6, 4A-CI-00-10-019 Recommendation 10, and 4A-CI-00-11-009 Recommendation 11
   Current Status: OPEN: Rolled-forward as Report 4A-CI-00-13-021 Recommendation 13

Rec 15
   Original Recommendation: We recommend that OPM’s program offices test the contingency plans for each system on an annual basis. The contingency plans should be immediately tested for the eight systems that were not subject to adequate testing in FY 2012.
   Recommendation History: Roll-forward from OIG Reports: 4A-CI-00-08-022 Recommendation 2, 4A-CI-00-09-031 Recommendation 9, 4A-CI-00-10-019 Recommendation 30, and 4A-CI-00-11-009 Recommendation 19
   Current Status: OPEN: Rolled-forward as Report 4A-CI-00-13-021 Recommendation 14

Rec 16
   Original Recommendation: We recommend that the OCIO implement and document a centralized (agency-wide) approach to contingency plan testing.
   Recommendation History: Roll-Forward from OIG Report: 4A-CI-00-11-009 Recommendation 21
   Current Status: OPEN: Rolled-forward as Report 4A-CI-00-13-021 Recommendation 15

Rec 17
   Original Recommendation: We recommend that the OPM Information Technology Security and Privacy Handbook be updated to explicitly require contractor-operated systems to be subject to an annual security controls test performed by a government employee or an independent third party. The security controls tests should be documented using OPM’s standard templates.
   Recommendation History: Recommendation new in FY 2012
   Current Status: CLOSED: 2/27/2013

Rec 18
   Original Recommendation: We recommend that OPM continue its efforts to eliminate the unnecessary use of SSNs in accordance with OMB Memorandum M-07-16.
   Recommendation History: Roll-forward from OIG Reports: 4A-CI-00-08-022 Recommendation 12, 4A-CI-00-09-031 Recommendation 22, 4A-CI-00-10-019 Recommendation 39, and 4A-CI-00-11-009 Recommendation 28
   Current Status: OPEN: Rolled-forward as Report 4A-CI-00-13-021 Recommendation 16

Appendix II

UNITED STATES OFFICE OF PERSONNEL MANAGEMENT
Washington, DC 20415

Chief Information Officer
MEMORANDUM FOR:                    SYSTEMS AUDIT GROUP

FROM:          CHUCK SIMPSON
               ACTING, CHIEF INFORMATION OFFICER

Subject:       Response to the Federal Information Security Management Act Audit - FY2013, Report No. 4A-CI-00-13-021

Thank you for the opportunity to comment on the subject report. The results provided in the draft report consist of a number of recommendations. The recommendations are valuable to our program improvement efforts and most of them are generally consistent with our plan. We plan to continue making improvements in our security risk management strategy and the OPM IT security program.

In reviewing the draft report, we noticed that recommendation #8 which covers specialized security training was reissued. Additional information was submitted since the draft report was issued showing a specialized training participation rate of 94%. We asked for consideration in having recommendation #8 removed from the final audit report.

The CIO's responses to the FY-13 Draft FISMA Audit Report are documented below:

Recommendation 1 (Rolled-Forward from 2010)
We recommend that OPM implement a centralized information security governance structure where all information security practitioners, including designated security officers, report to the CISO. Adequate resources should be assigned to the OCIO to create this structure. Existing designated security officers who report to their program offices should return to their program office duties. The new staff that reports to the CISO should consist of experienced information security professionals.

CIO Response:
A CIO initiated Memo directing the centralization of the security responsibilities of Designated Security Officers (DSO) in the Office of Chief Information Security Officer (CISO) was issued by the OPM Director on August, 2012 with an effective date of October 1, 2012. The CIO has already hired three Information System Security Officers with professional IT security experience and certifications and recruitment of an additional one is in progress for a total of four. The initial set of systems has been transitioned to ISSOs for security management and we expect to have all OPM systems under CISO security management once funding for additional professional security staff becomes available.

Recruit, Retain and Honor a World-Class Workforce to Serve the American People - www.usajobs.gov

Recommendation 2
We recommend that the OCIO develop a plan and timeline to enforce the new SDLC policy to all of OPM's system development projects.

CIO Response:
The OPM SDLC is being applied to OPM's major investment projects. In FY14, a plan with timelines will be developed to enforce the SDLC policy for applicable system development projects.

Recommendation 3 (Rolled-Forward from 2011)
We recommend that the OCIO continue to develop its Risk Executive Function to meet all of the intended requirements outlined in NIST SP 800-39, section 2.3.2 Risk Executive (Function).

CIO Response:
We will continue to assess the Risk Executive Function per NIST Special Publication 800-39 and to explore and make suggestions for implementing this function. The risk executive function will have agency wide authority and responsibility for assessing risk across all OPM Program Offices and to advise senior management on risk management strategies.

Recommendation 4
We recommend that the OCIO develop and implement a baseline configuration for

CIO Response:
We are working to standardize operating systems and applications throughout the environment. Over the past year, all Windows and Linux operating systems, as well as Microsoft SQL have been given approved baseline images. We will continue to                        and develop and implement configuration baselines for

Recommendation 5
We recommend that the OCIO conduct routine compliance audits            with the OPM baseline configuration once they have been reviewed and approved.

CIO Response:
We concur with this recommendation and will implement the recommendation on the approved baseline configuration.

Recommendation 6 (Rolled-Forward from 2011)
We recommend that the OCIO document "accepted" weaknesses identified in vulnerability scans.

CIO Response:
We concur with this recommendation and will implement the recommendation in FY-14.

Recommendation 7
We recommend that the OCIO establish a centralized network security operations center with the ability to monitor security events for all major OPM systems.

CIO Response:
A centralized monitoring center is established with first level alerting and monitoring for the servers, and network appliances within the major OPM sites. Work has begun on incorporating application and database monitoring and compliance. We will continue to evaluate and look at cost effective ways to implement this recommendation.

Recommendation 8 (Rolled-Forward from 2010)
We continue to recommend that the OCIO ensure that all employees with significant information security responsibility take meaningful and appropriate specialized security training on an annual basis.

CIO Response:
We have successfully implemented this recommendation and significant improvements were achieved this year with a completion rate of over 94 percent. Additional information was submitted after the draft report was published that reflects the most current data.

Recommendation 9
We recommend that the OCIO and system owners develop formal corrective action plans to immediately remediate all POA&M weaknesses that are over 120 days overdue.

CIO Response:
The CIO dedicated resources to this task and has successfully closed a majority of POA&Ms that are over 120 days old and will continue to work with program offices to reduce or close those that are outstanding and to develop formal Corrective Action Plans. Most POA&Ms that are over 120 days have dependencies such as funding that is not available or coordination issues with external entities who often are not ready to implement the required changes. It is suggested that the word "immediate" be removed from recommendation 9 since immediate resolution is not feasible.

Recommendation 10
We recommend that all POA&Ms list the specific resources required to address each security weakness identified.

CIO Response:
This recommendation has been largely implemented for program offices with open POA&Ms. We will continue to work with program offices to ensure that the "resources required" for POA&Ms are identified and documented.

Recommendation 11
We recommend that system owners submit a POA&M to the OCIO for every system on a quarterly basis.

CIO Response:
This recommendation has been implemented and program offices with open POA&Ms have been updating their POA&Ms in the Trusted Agent system on at least a quarterly basis. High system updates are performed monthly. The POA&M management process has been automated and we no longer require submissions, instead program offices update their POA&Ms in the Trusted Agent Systems under oversight and guidance from the CISO. Program offices that do not have open POA&Ms are not required to perform POA&M updates. Please let us know if you wish to have a discussion on the POA&M automation process.

Recommendation 12 (Rolled-Forward from 2012)
We recommend the OCIO configure the VPN servers to

CIO Response:
All technological controls are in place and we believe there is a flaw in a vendor's design that will require an out of band patch to repair. We have narrowed the problem to a fault within the UDP connection to the client and we are working with the vendor, Cisco Systems to get this resolved.

Recommendation 13 (Rolled-Forward 2012)
We recommend that the OCIO meet the requirements of OMB M-11-11 by upgrading its major information systems to require multi-factor authentication using PIV credentials.

CIO Response:
We have developed and are in the process of implementing plans for multi-factor PIV authentication for compliance with OMB M-11-11. A major segment of the users on our network infrastructure are using PIV authentication. In FY-14 we will continue to work with program offices to implement PIV authentication for major systems.

Recommendation 14
We recommend that the OCIO expand its continuous monitoring program to include quarterly submissions for High impact systems, more frequent controls testing for all systems, and further implementation of automated tools as outlined in the Information Security Continuous Monitoring Roadmap.

CIO Response:
We have made significant progress implementing Continuous Monitoring at OPM and will continue to expand the program over a 2 year period into FY-15 subject to availability of funds. We plan to implement this specific set of recommendations from the draft report.

Recommendation 15 (Rolled forward from 2008)
We recommend that OPM ensure that an annual test of security controls has been completed for all systems.

CIO Response:
We continue to make progress with security controls testing in FY-2013 and expect to have test plans and results for all systems in FY-2014. Security controls testing will be a major part of our continuous monitoring program that is currently being implemented.

Recommendation 16 (Rolled-Forward from 2008)
We recommend that OPM's program offices test the contingency plans for each system on an annual basis. The contingency plans should be immediately tested for the eight systems that were not subject to adequate testing in FY 2013.

CIO Response:
We will continue making progress working with program offices on contingency plan testing in FY-14. Due to the current shortage of funding for all ISSOs, the CISO must still rely on decentralized DSOs for support to complete the testing. This has caused delays in implementation and coordination. We ask that the wording in this recommendation be changed from requesting Contingency Plans to be "immediately tested" to tested as soon as possible.

Recommendation 17 (rolled forward from 2011)
We recommend that the OCIO implement and document a centralized (agency-wide) approach to contingency plan testing.

CIO Response:
We will continue efforts to centralize contingency plan testing in FY-14 with the goal of implementing this recommendation.

Recommendation 18 (Rolled-Forward from 2008)
We recommend that OPM continue its efforts to eliminate the unnecessary use of SSNs in accordance with OMB Memorandum M-07-16.

CIO Response:
Significant work was done to eliminate the unnecessary use of social security numbers (SSN) including development of a consolidated Action Plan and eliminating them from USAJOBS and the PMF systems. In FY-14, the Privacy Officer will update the action plan and schedule a pilot project with Retirement Services to review business processes to determine how SSNs usage can be reduced. Note that this recommendation requires funding for agency-wide implementation.

Appendix III

Inspector General Section Report
2013 Annual FISMA Report
Office of Personnel Management

Section 1: Continuous Monitoring Management

1.1   Has the organization established an enterprise-wide continuous monitoring program that assesses the security state of information systems that is consistent with FISMA requirements, OMB policy, and applicable NIST guidelines? Besides the improvement opportunities that may have been identified by the OIG, does the program include the following attributes?
      Yes
      Comments: The OCIO developed a concept of operations document and a continuous monitoring program implementation “roadmap” that describes the stages and timeline for implementing a full continuous monitoring program at OPM.
While the initial stages of\n                                 implementation began in FY 2012, full implementation of the plan is not scheduled to be completed until FY 2015.\n          1.1.1   Documented policies and procedures for continuous monitoring (NIST SP 800-53: CA-7).\n                  Yes\n          1.1.2   Documented strategy and plans for continuous monitoring (NIST SP 800-37 Rev 1, Appendix G).\n                  Yes\n          1.1.3   Ongoing assessments of security controls (system-specific, hybrid, and common) that have been performed based on the approved\n                  continuous monitoring plans (NIST SP 800-53, NIST 800-53A).\n                  No\n                           Comments:       OPM policy requires all owners of OPM-operated systems to submit evidence of continuous monitoring activities at least\n                                           semiannually, and owners of contractor-operated systems to submit evidence of security control testing annually. Between\n                                           contractor and agency-operated information systems, only 34 out of 47 systems were subject to adequate security controls\n                                           testing in FY 2013.\n          1.1.4   Provides authorizing officials and other key system officials with security status reports covering updates to security plans and security\n                  assessment reports, as well as a common and consistent POA&M program that is updated with the frequency defined in the strategy\n                  and/or plans (NIST SP 800-53, 800-53A).\n                  Yes\n1.2      Please provide any additional information on the effectiveness of the organization\xe2\x80\x99s Continuous Monitoring Management Program that was\n         not noted in the questions above.\n          No Current Entries\n                  Comments:      It has been over six years since all OPM systems were subject to an adequate annual security controls test. 
OPM\xe2\x80\x99s decentralized\n                                 approach to IT security has traditionally placed responsibility on the various program offices to test the security controls of their\n                                 systems. We are optimistic that the quality and consistency of security controls tests will improve with the full implementation of the\n                                 OCIO\xe2\x80\x99s centralized security structure and with the shift to semi-annual continuous monitoring submissions.\n\nOIG Report - Annual 2013                                                                                                                                             Page 1 of 16\n                                                                            For Official Use Only\n\x0c\x0cSection 2: Configuration Management\n          2.1.6    Documented proposed or actual changes to hardware and software configurations.\n                   Yes\n          2.1.7    Process for timely and secure installation of software patches.\n                   Yes\n          2.1.8    Software assessing (scanning) capabilities are fully implemented (NIST SP 800-53: RA-5, SI-2).\n                   Yes\n          2.1.9    Configuration-related vulnerabilities, including scan findings, have been remediated in a timely manner, as specified in organization\n                   policy or standards. (NIST SP 800-53: CM-4, CM-6, RA-5, SI-2)\n                   Yes\n          2.1.10   Patch management process is fully developed, as specified in organization policy or standards. 
(NIST SP 800-53: CM-3, SI-2).\n                   Yes\n2.2      Please provide any additional information on the effectiveness of the organization\xe2\x80\x99s Configuration Management Program that was not noted in\n         the questions above.\n          No Current Entries\n\nSection 3: Identity and Access Management\n3.1      Has the organization established an identity and access management program that is consistent with FISMA requirements, OMB policy, and\n         applicable NIST guidelines and which identifies users and network devices? Besides the improvement opportunities that have been identified\n         by the OIG, does the program include the following attributes?\n          Yes\n          3.1.1    Documented policies and procedures for account and identity management (NIST SP 800-53: AC-1).\n                   Yes\n          3.1.2    Identifies all users, including Federal employees, contractors, and others who access organization systems (NIST SP 800-53, AC-2).\n                   Yes\n          3.1.3    Identifies when special access requirements (e.g., multi-factor authentication) are necessary.\n                   Yes\n\n\n\n\nOIG Report - Annual 2013                                                                                                                                   Page 3 of 16\n                                                                            For Official Use Only\n\x0cSection 3: Identity and Access Management\n          3.1.4    If multi-factor authentication is in use, it is linked to the organization\'s PIV program where appropriate (NIST SP 800-53, IA-2).\n                   No\n                            Comments:       See note in 3.1.5.\n          3.1.5    Organization has planned for implementation of PIV for logical access in accordance with government policies (HSPD 12, FIPS 201,\n                   OMB M-05-24, OMB M-07-06, OMB M-08-01, OMB M-11-11).\n                   No\n                            
Comments:       In FY 2012, the OCIO began an initiative to require PIV authentication to access the agency\xe2\x80\x99s network. As of the end of\n                                            FY 2013, 30 percent of OPM workstations require PIV authentication for access to the OPM network. However, none of\n                                            the agency\xe2\x80\x99s 47 major applications require PIV authentication.\n          3.1.6    Organization has adequately planned for implementation of PIV for physical access in accordance with government policies (HSPD 12,\n                   FIPS 201, OMB M-05-24, OMB M-07-06, OMB M-08-01, OMB M-11-11).\n                   Yes\n          3.1.7    Ensures that the users are granted access based on needs and separation-of-duties principles.\n                   Yes\n          3.1.8    Identifies devices with IP addresses that are attached to the network and distinguishes these devices from users (For example: IP\n                   phones, faxes, printers are examples of devices attached to the network that are distinguishable from desktops, laptops or servers that\n                   have user accounts).\n                   Yes\n          3.1.9    Identifies all user and non-user accounts. (Refers to user accounts that are on a system. Data user accounts are created to pull generic\n                   information from a database or a guest/anonymous account for generic login purposes. 
They are not associated with a single user or a\n                   specific group of users.)\n                   Yes\n          3.1.10   Ensures that accounts are terminated or deactivated once access is no longer required.\n                   Yes\n          3.1.11   Identifies and controls use of shared accounts.\n                   Yes\n\n\n\n\nOIG Report - Annual 2013                                                                                                                                          Page 4 of 16\n                                                                            For Official Use Only\n\x0cSection 3: Identity and Access Management\n3.2      Please provide any additional information on the effectiveness of the organization\xe2\x80\x99s Identity and Access Management Program that was not\n         noted in the questions above.\n          No Current Entries\n\nSection 4: Incident Response and Reporting\n4.1      Has the organization established an incident response and reporting program that is consistent with FISMA requirements, OMB policy, and\n         applicable NIST guidelines? 
Besides the improvement opportunities that may have been identified by the OIG, does the program include the\n         following attributes?\n          Yes\n          4.1.1   Documented policies and procedures for detecting, responding to, and reporting incidents (NIST SP 800-53: IR-1).\n                  Yes\n          4.1.2   Comprehensive analysis, validation and documentation of incidents.\n                  Yes\n          4.1.3   When applicable, reports to US-CERT within established timeframes (NIST SP 800-53, 800-61, and OMB M-07-16, M-06-19).\n                  Yes\n          4.1.4   When applicable, reports to law enforcement within established timeframes (NIST SP 800-61).\n                  Yes\n          4.1.5   Responds to and resolves incidents in a timely manner, as specified in organization policy or standards, to minimize further damage\n                  (NIST SP 800-53, 800-61, and OMB M-07-16, M-06-19).\n                  Yes\n          4.1.6   Is capable of tracking and managing risks in a virtual/cloud environment, if applicable.\n                  Yes\n                           Comments:       OPM has incident response policies and procedures that govern all systems, including those that reside in a cloud.\n                                           However, OPM\'s master system inventory does not document which systems reside in a cloud.\n\n\n\n\nOIG Report - Annual 2013                                                                                                                                        Page 5 of 16\n                                                                            For Official Use Only\n\x0cSection 4: Incident Response and Reporting\n          4.1.7   Is capable of correlating incidents.\n                  No\n                            Comments:       OPM owns a software product with the technical ability to compare and correlate security incidents over time. 
However,\n                                            the correlation features of these tools are not being fully utilized at this time. This tool receives event data from approximately\n                                            80 percent of all major OPM systems. Furthermore, OPM does not have a consistent and unified process to monitor and\n                                            analyze all security incidents. Some incidents cannot be fully investigated due to inconsistent logging practices across\n                                            systems, and inefficiencies created by program offices running separate monitoring tools on their systems.\n          4.1.8   Has sufficient incident monitoring and detection coverage in accordance with government policies (NIST SP 800-53, 800-61; OMB\n                  M-07-16, M-06-19).\n                  Yes\n4.2      Please provide any additional information on the effectiveness of the organization\xe2\x80\x99s Incident Management Program that was not noted in the\n         questions above.\n          No Current Entries\n\nSection 5: Risk Management\n5.1      Has the organization established a risk management program that is consistent with FISMA requirements, OMB policy, and applicable NIST\n         guidelines? Besides the improvement opportunities that may have been identified by the OIG, does the program include the following\n         attributes?\n          No\n                  Comments:       In FY 2011, the OCIO organized a Risk Executive Function comprised of several IT security professionals. 
However, as of the end\n                                  of FY 2012, the 12 primary elements of the Risk Executive Function as described in NIST SP 800-39 were not all fully implemented.\n                                  Key elements still missing from OPM\xe2\x80\x99s approach to managing risk at an agency-wide level include: conducting a risk assessment,\n                                  maintaining a risk registry, and communicating the agency-wide risks down to the system owners. Although the OCIO improved in\n                                  assessing risk at the individual system level (see Security Assessment and Authorization section II, above), the OCIO was not fully\n                                  managing risk at an organization-wide level. As of FY 2013, no further changes have been implemented to address organization-wide\n                                  risk.\n          5.1.1   Documented policies and procedures for risk management, including descriptions of the roles and responsibilities of participants in this\n                  process.\n                  Yes\n\n\nOIG Report - Annual 2013                                                                                                                                                 Page 6 of 16\n                                                                              For Official Use Only\n\x0cSection 5: Risk Management\n          5.1.2    Addresses risk from an organization perspective with the development of a comprehensive governance structure and organization-wide\n                   risk management strategy as described in NIST SP 800-37, Rev.1.\n                   No\n                             Comments:       See comment in 5.1.\n          5.1.3    Addresses risk from a mission and business process perspective and is guided by the risk decisions from an organizational\n                   perspective, as described in NIST SP 800-37, Rev. 
1.\n                   Yes\n          5.1.4    Addresses risk from an information system perspective and is guided by the risk decisions from an organizational perspective and the\n                   mission and business perspective, as described in NIST SP 800-37, Rev. 1.\n                   Yes\n          5.1.5    Has an up-to-date system inventory.\n                   Yes\n          5.1.6    Categorizes information systems in accordance with government policies.\n                   Yes\n          5.1.7    Selects an appropriately tailored set of baseline security controls.\n                   Yes\n          5.1.8    Implements the tailored set of baseline security controls and describes how the controls are employed within the information system\n                   and its environment of operation.\n                   Yes\n          5.1.9    Assesses the security controls using appropriate assessment procedures to determine the extent to which the controls are\n                   implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for\n                   the system.\n                   No\n                             Comments:       The information security controls were adequately assessed for only 34 of OPM\'s 47 major systems in FY 2013.\n          5.1.10   Authorizes information system operation based on a determination of the risk to organizational operations and assets, individuals,\n                   other organizations, and the Nation resulting from the operation of the information system and the decision that this risk is acceptable.\n                   Yes\n\n\nOIG Report - Annual 2013                                                                                                                                       Page 7 of 16\n                                                                             For Official Use Only\n\x0cSection 5: Risk Management\n          
5.1.11   Ensures information security controls are monitored on an ongoing basis including assessing control effectiveness, documenting\n                   changes to the system or its environment of operation, conducting security impact analyses of the associated changes, and reporting\n                   the security state of the system to designated organizational officials.\n                   No\n                             Comments:       OPM\'s continuous monitoring program is not scheduled for full implementation until FY 2015.\n          5.1.12   Information-system-specific risks (tactical), mission/business-specific risks, and organizational-level (strategic) risks are\n                   communicated to appropriate levels of the organization.\n                   Yes\n          5.1.13   Senior officials are briefed on threat activity on a regular basis by appropriate personnel (e.g., CISO).\n                   Yes\n          5.1.14   Prescribes the active involvement of information system owners and common control providers, chief information officers, senior\n                   information security officers, authorizing officials, and other roles as applicable in the ongoing management of information\n                   system-related security risks.\n                   Yes\n          5.1.15   Security authorization package contains system security plan, security assessment report, and POA&M in accordance with\n                   government policies. 
(NIST SP 800-18, 800-37).\n                   Yes\n          5.1.16   Security authorization package contains accreditation boundaries, defined in accordance with government policies, for organization\n                   information systems.\n                   Yes\n5.2      Please provide any additional information on the effectiveness of the organization\xe2\x80\x99s Risk Management Program that was not noted in the\n         questions above.\n          No Current Entries\n\nSection 6: Security Training\n\n\n\n\nOIG Report - Annual 2013                                                                                                                                 Page 8 of 16\n                                                                             For Official Use Only\n\x0cSection 6: Security Training\n6.1      Has the organization established a security training program that is consistent with FISMA requirements, OMB policy, and applicable NIST\n         guidelines? Besides the improvement opportunities that may have been identified by the OIG, does the program include the following\n         attributes?\n          Yes\n          6.1.1   Documented policies and procedures for security awareness training (NIST SP 800-53: AT-1).\n                  Yes\n          6.1.2   Documented policies and procedures for specialized training for users with significant information security responsibilities.\n                  Yes\n          6.1.3   Security training content based on the organization and roles, as specified in organization policy or standards.\n                  Yes\n          6.1.4   Identification and tracking of the status of security awareness training for all personnel (including employees, contractors, and other\n                  organization users) with access privileges that require security awareness training.\n                  Yes\n          6.1.5   Identification and tracking of the status of specialized training for all personnel (including 
employees, contractors, and other\n                  organization users) with significant information security responsibilities that require specialized training.\n                  Yes\n          6.1.6   Training material for security awareness training contains appropriate content for the organization (NIST SP 800-50, 800-53).\n                  Yes\n6.2      Please provide any additional information on the effectiveness of the organization\xe2\x80\x99s Security Training Program that was not noted in the\n         questions above.\n          No Current Entries\n\nSection 7: Plan Of Action & Milestones (POA&M)\n7.1      Has the organization established a POA&M program that is consistent with FISMA requirements, OMB policy, and applicable NIST\n         guidelines and tracks and monitors known information security weaknesses? Besides the improvement opportunities that may have been\n         identified by the OIG, does the program include the following attributes?\n          Yes\n\n\n\nOIG Report - Annual 2013                                                                                                                                    Page 9 of 16\n                                                                           For Official Use Only\n\x0cSection 7: Plan Of Action & Milestones (POA&M)\n          7.1.1   Documented policies and procedures for managing IT security weaknesses discovered during security control assessments and that\n                  require remediation.\n                  Yes\n          7.1.2   Tracks, prioritizes and remediates weaknesses.\n                  Yes\n          7.1.3   Ensures remediation plans are effective for correcting weaknesses.\n                  No\n                           Comments:      See comments in 7.1.4.\n          7.1.4   Establishes and adheres to milestone remediation dates.\n                  No\n                           Comments:      Our review indicated that many system owners are not meeting the 
self-imposed remediation deadlines listed on the\n                                          POA&Ms. Of OPM\xe2\x80\x99s 47 major systems, 22 have POA&M items that are greater than 120 days overdue. We believe that\n                                          this indicates that POA&M remediation plans are not effective for correcting weaknesses.\n          7.1.5   Ensures resources and ownership are provided for correcting weaknesses.\n                  No\n                           Comments:      We interviewed the system owners of five OPM systems with overdue POA&M items. Each owner stated that although\n                                          they have identified the resources required to address the POA&M items, these resources are not currently available.\n          7.1.6   POA&Ms include security weaknesses discovered during assessments of security controls and that require remediation (do not need\n                  to include security weakness due to a risk-based decision to not implement a security control) (OMB M-04-25).\n                  Yes\n          7.1.7   Costs associated with remediating weaknesses are identified (NIST SP 800-53, Rev. 
3, Control PM-3 and OMB M-04-25).\n                  No\n                           Comments:      We noted that the owners of 10 out of OPM\'s 47 systems have not identified the resources needed to address POA&M\n                                          weaknesses, as required by OPM\xe2\x80\x99s POA&M policy.\n\n\n\n\nOIG Report - Annual 2013                                                                                                                                     Page 10 of 16\n                                                                            For Official Use Only\n\x0cSection 7: Plan Of Action & Milestones (POA&M)\n          7.1.8   Program officials report progress on remediation to CIO on a regular basis, at least quarterly, and the CIO centrally tracks, maintains,\n                  and independently reviews/validates the POA&M activities at least quarterly (NIST SP 800-53, Rev. 3, Control CA-5; OMB\n                  M-04-25).\n                  Yes\n7.2      Please provide any additional information on the effectiveness of the organization\xe2\x80\x99s POA&M Program that was not noted in the questions\n         above.\n          No Current Entries\n\nSection 8: Remote Access Management\n8.1      Has the organization established a remote access program that is consistent with FISMA requirements, OMB policy, and applicable NIST\n         guidelines? 
Besides the improvement opportunities that may have been identified by the OIG, does the program include the following\n         attributes?\n          Yes\n          8.1.1   Documented policies and procedures for authorizing, monitoring, and controlling all methods of remote access (NIST SP 800-53: AC-1,\n                  AC-17).\n                  Yes\n          8.1.2   Protects against unauthorized connections or subversion of authorized connections.\n                  Yes\n          8.1.3   Users are uniquely identified and authenticated for all access (NIST SP 800-46, Section 4.2, Section 5.1).\n                  Yes\n          8.1.4   Telecommuting policy is fully developed (NIST SP 800-46, Section 5.1).\n                  Yes\n          8.1.5   If applicable, multi-factor authentication is required for remote access (NIST SP 800-46, Section 2.2, Section 3.3).\n                  Yes\n          8.1.6   Authentication mechanisms meet NIST Special Publication 800-63 guidance on remote electronic authentication, including strength\n                  mechanisms.\n                  Yes\n\n\n\nOIG Report - Annual 2013                                                                                                                                     Page 11 of 16\n                                                                           For Official Use Only\n\x0c\x0cSection 9: Contingency Planning\n          9.1.1   Documented business continuity and disaster recovery policy providing the authority and guidance necessary to reduce the impact of a\n                  disruptive event or disaster (NIST SP 800-53: CP-1).\n                  Yes\n          9.1.2   The organization has incorporated the results of its system\xe2\x80\x99s Business Impact Analysis (BIA) into the analysis and strategy\n                  development efforts for the organization\xe2\x80\x99s Continuity of Operations Plan (COOP), Business Continuity Plan (BCP), and Disaster\n                  
Recovery Plan (DRP) (NIST SP 800-34).
                  Yes
          9.1.3   Development and documentation of division, component, and IT infrastructure recovery strategies, plans and procedures (NIST SP 800-34).
                  Yes
          9.1.4   Testing of system-specific contingency plans.
                  No
                  Comments: We received evidence that contingency plans were tested for only 40 of 47 systems in FY 2013. Of the contingency plan tests we did receive, we continue to notice inconsistency in the quality of the documentation produced for various OPM systems.
          9.1.5   The documented BCP and DRP are in place and can be implemented when necessary (FCD1, NIST SP 800-34).
                  Yes
          9.1.6   Development of test, training, and exercise (TT&E) programs (FCD1, NIST SP 800-34, NIST SP 800-53).
                  Yes
          9.1.7   Testing or exercising of BCP and DRP to determine effectiveness and to maintain current plans.
                  No
                  Comments: Many OPM systems reside on one of the agency’s general support systems. However, two of these general support systems were not adequately tested in FY 2013. In the FY 2011 FISMA audit report we recommended that the OCIO implement a centralized (agency-wide) approach to contingency plan testing. We were informed that a single synchronized functional test is not feasible due to logistical and resource limitations. However, the intent of the recommendation is to ensure that all elements of the general support systems are subject to a full functional disaster recovery test each year. This recommendation can be remediated if each general support system is subject to a full functional test each year, even if it must be broken into a series of smaller tests.

OIG Report - Annual 2013                                                    Page 13 of 16
                                   For Official Use Only

          9.1.8   After-action report that addresses issues identified during contingency/disaster recovery exercises (FCD1, NIST SP 800-34).
                  No
                  Comments: As mentioned in 9.1.4, seven systems were not subject to contingency plan testing in FY 2013, and therefore no after-action report was developed.
          9.1.9   Systems that have alternate processing sites (FCD1, NIST SP 800-34, NIST SP 800-53).
                  Yes
          9.1.10  Alternate processing sites are not subject to the same risks as primary sites (FCD1, NIST SP 800-34, NIST SP 800-53).
                  Yes
          9.1.11  Backups of information that are performed in a timely manner (FCD1, NIST SP 800-34, NIST SP 800-53).
                  Yes
          9.1.12  Contingency planning that considers supply chain threats.
                  Yes
9.2      Please provide any additional information on the effectiveness of the organization’s Contingency Planning Program that was not noted in the questions above.
          No Current Entries

Section 10: Contractor Systems
10.1     Has the organization established a program to oversee systems operated on its behalf by contractors or other entities, including organization systems and services residing in the cloud external to the organization? Besides the improvement opportunities that may have been identified by the OIG, does the program include the following attributes?
          Yes
          10.1.1  Documented policies and procedures for information security oversight of systems operated on the organization’s behalf by contractors or other entities, including organization systems and services residing in a public cloud.
                  Yes
          10.1.2  The organization obtains sufficient assurance that security controls of such systems and services are effectively implemented and comply with Federal and organization guidelines (NIST SP 800-53: CA-2).
                  No
                  Comments: OPM policy states that system owners must ensure that an annual security controls test is performed for contractor-operated systems by a government employee or an independent third party at the site where contracted information technology services are rendered. However, only 14 of 21 contractor-operated systems were adequately tested in FY 2013.
          10.1.3  A complete inventory of systems operated on the organization’s behalf by contractors or other entities, including organization systems and services residing in a public cloud.
                  Yes
          10.1.4  The inventory identifies interfaces between these systems and organization-operated systems (NIST SP 800-53: PM-5).
                  Yes
          10.1.5  The organization requires appropriate agreements (e.g., MOUs, Interconnection Security Agreements, contracts, etc.) for interfaces between these systems and those that it owns and operates.
                  Yes
          10.1.6  The inventory of contractor systems is updated at least annually.
                  Yes
          10.1.7  Systems that are owned or operated by contractors or entities, including organization systems and services residing in a public cloud, are compliant with FISMA requirements, OMB policy, and applicable NIST guidelines.
                  Yes
10.2     Please provide any additional information on the effectiveness of the organization’s Contractor Systems Program that was not noted in the questions above.
          No Current Entries

Section 11: Security Capital Planning
11.1     Has the organization established a security capital planning and investment program for information security? Besides the improvement opportunities that may have been identified by the OIG, does the program include the following attributes?
          Yes
          11.1.1  Documented policies and procedures to address information security in the capital planning and investment control (CPIC) process.
                  Yes
          11.1.2  Includes information security requirements as part of the capital planning and investment process.
                  Yes
          11.1.3  Establishes a discrete line item for information security in organizational programming and documentation (NIST SP 800-53: SA-2).
                  Yes
          11.1.4  Employs a business case/Exhibit 300/Exhibit 53 to record the information security resources required (NIST SP 800-53: PM-3).
                  Yes
          11.1.5  Ensures that information security resources are available for expenditure as planned.
                  Yes
11.2     Please provide any additional information on the effectiveness of the organization’s Security Capital Planning Program that was not noted in the questions above.
          No Current Entries